The Vulnerability Disclosure Rate in 2007

Posted by Gunter Ollmann on February 11, 2008 at 12:04 PM EST.

Last week a taster was provided as to the slight dip in new vulnerability disclosure rates for 2007. There have been several citations of the data after some of the security news blogs picked it up - along with some short external analysis pieces.

I found it interesting that several reporters hypothesized that it was due to the selling of vulnerabilities. I don't think so - at least not directly, and not in the way that they think.

In addition, based upon some of the comments I observed, a few people didn’t really understand that X-Force were talking about the rate of increase. That is to say there were around six and a half thousand brand new – never seen before – vulnerabilities added to the tens of thousands that businesses already have to protect themselves against. In that context, a 5.4 percent decrease can hardly deliver much good news – but I suppose it's better than an increase.

I guess the question for many people is “why the decrease?”

Here are my thoughts on what has probably influenced this marginal decrease in the rate of public disclosures (in order of influence value):

  1. Decreasing Appeal – by that I mean, the disclosure numbers have become so large that finding a vulnerability has much less impact nowadays. Just a couple of years ago, there was still a lot of kudos associated with being able to say that you had discovered dozens of vulnerabilities. That street-cred has diminished of late largely due to the high volume of fuzzer-found vulnerabilities by what many would call script-kiddies and the “statistical insignificance” of many finds.
    Don’t get me wrong, there are still a lot of professional (and would-be-professional) bug-hunters seeking out new vulnerabilities. However, to differentiate themselves from the fuzzing script-kiddies there’s been an increased emphasis on only really pursuing high-impact vulnerabilities – i.e. bugs that will stand out amongst the statistical hordes. This is probably an influence on the percentage increase in high-impact vulnerability disclosures in 2007.
  2. Vendor Improvements – the way vendors test and QA new product releases has matured. Sure, this year’s top-10 vulnerable vendors probably looks much like any previous year, but most have been improving how they test the security of their products. It can be a little difficult to see because the major vendors are constantly releasing new software. If you take a look at the volume of products they supported throughout 2007 (both new products released in 2007 and previous years’ “current” product portfolios), you’ll probably notice that each had more software than ever before.
    However, the vast majority of software isn’t produced by the top-10 vendors – so John Doe’s auto-search PHP-scripted portal is unlikely to have been caught up in the “test the security before you ship it” movement.
  3. Professional bug-hunters – have increasingly achieved what they sought – i.e. to get noticed, and be paid by the vulnerable vendors themselves. I know literally hundreds of reverse-engineers and researchers that have great track records for finding vulnerabilities. Just about all of them are now employed as full-time security consultants – selling their skills to the vendors of the software they used to publicly disclose vulnerabilities in.
    Just about all of them drove the “revolution” in security testing and QA back in 2004/2005, and now contract their skills to the vendors – driving the improvements from within. I guess a regular salary beats a few disclosures on Bugtraq.
    Now don’t conclude that these professional bug-hunters aren’t still finding new vulnerabilities outside their vendor contracts. They still are. However, the volume of new discoveries is less – due to a mix of finding the time necessary to do the research, and only really pursuing the juicy high-impact vulnerabilities that would improve their reputation (and consequently their consulting rates).
  4. Vulnerability purchase programs – have helped weed out a lot of the “lame” vulnerabilities and add an additional step (and time delay) to the vulnerability disclosure process. I think that many of the would-be-professional bug-hunters have found that, in order to earn money from their bugs, they have to do more work than just saying “if I do this, the application causes a stack overflow”.
    To sell their vulnerability, they have to prepare more information about their “security” flaw – all this takes time and effort. In addition, by going through this information gathering process, it becomes easier to uncover the exploit impact of the vulnerability – which probably causes more than a few would-be-professionals to go to the additional effort of proving that their “DoS” discovery could really be a reliable remote-access vulnerability (i.e. worth more money).

Obviously we’ll all be watching how vulnerability disclosures pan out in 2008. I’m sure we’d all like to see the disclosure rate continue to drop. However, there are a lot of dynamics to the vulnerability disclosure business and year-on-year rates have done unexpected things before.

Since so much of bug hunting is now tool-based using automated fuzzers, any substantial improvement in tool quality during 2008 could cause the total number of disclosures to skyrocket.

    Copyright 2001-2008 © Gunter Ollmann